Support 2FA --otp=123456
#1091
Comments
|
I'm worried that we'll have to re-prompt if publishes start failing (due to expired TOTP). Really exposes how un-tested and gnarly our current publish failure handling is. :/ |
|
Yeah that's what happened, also since we published like 100 pkgs and it would expire in between (had to just turn it off) |
|
To help people in the short term, perhaps npm's tokens could help. Creating a wrapper script to generate a token, adding it to your Docs: https://docs.npmjs.com/getting-started/working_with_tokens |
|
For people finding this through Google, I'd like to point out that a good workaround is to set the NPM_CONFIG_OTP=123456 lerna publish |
|
The above solution doesn't seem to work with Yarn & lerna as a devDep, eg: NPM_CONFIG_OTP=123456 yarn lerna publishIt still fails on the OTP during publication 😞 |
|
Because it’s using yarn to publish now, and who knows if they’re compatible with npm 2FA?
… On Mar 4, 2018, at 21:17, James Hegedus ***@***.***> wrote:
The above solution doesn't seem to work with Yarn & lerna as a devDep, eg:
NPM_CONFIG_OTP=123456 yarn lerna publish
It still fails on the OTP during publication 😞
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Fair point. I was under the impression that Yarn read all of npm's configs, wishful thinking. A note for others nonetheless. |
|
Yarn's issue: yarnpkg/yarn#4904 |
|
+1 for lerna to prompt for this, although |
|
@iarna (from the npm team) suggested running |
|
As a result of the recent compromise, I'd love to be able to enforce 2FA across our org. Is there a way to do the |
|
One thing to be aware of is npm/npm#19425. 2FA OTP may timeout during the upload process and thus fail the publish. This is even the case for single npm uploads, so may be also common in lerna context. I'm not saying that 2FA should not be used because of this, just pointing to a related issue that is a big pain for me on slow connections. Perhaps, lerna could check for 401 during publishing and re-ask OTP in this case? |
|
Great point @kachkaev, it's definitely more of an issue with Lerna given multiple packages even if you have a fast connection (this would be the case with Babel). |
|
It seems like ideally there'd be a way to upload to a temporary location with minimal credentials, then have the 2-factor only be needed for kind of committing those bundles to the registry. |
|
Two phase publishes with staging is something we've been talking about. It's a rather substantial platform change, but it is one we intend to see done. |
|
@iarna Cool! I don't doubt that it'd be quite a large change. Thanks to you and everyone at npm for all your hard work :) |
|
I was chatting about this with Ceej today and we may have an alternative and much easier to implement solution for you all: Time-limited tokens. You could create an access token for the purposes of publication that does not require 2fa and is valid for the next 5 or 10 minutes. Then use that during the various publications. Creating the token would require 2fa, but using it would not. And it would auto-delete itself after it times out. |
|
That seems like it'd be a great solution. |
|
That seems like a great solution in general, not just for monorepos. @iarna, any possibility of being able to customize longer periods? Like an hour, perhaps? |
|
Created a thread on npm.community to track/discuss the suggested time-limited token idea outside of this issue. |
TODO: - unit tests (direct + high-level) - figure out how to make integration tests work again refs #1091
TODO: unit tests (direct + high-level) refs #1091
TODO: unit tests (direct + high-level) refs #1091
|
What's the status of the https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all branch? I keep doing local patches of it as it is currently the only solution for using lerna with OTP |
|
Can you point me in the right direction as to which file I need to update/patch to change the studio to "inherit"? Thanks!! :) |
|
Lerna no longer calls `npm publish` in a subprocess, so that solution is no longer possible.
… On Mar 5, 2019, at 15:28, Richard Moore ***@***.***> wrote:
Can you point me in the right direction as to which file I need to update/patch to change the studio to "inherit"?
Thanks!! :)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I see. That may explain why the export technique isn’t working for me either then? Is there any existing work around? Even if it involves patching the bin/lerna? |
|
@imaman Can you share your technique for patching? :) |
|
@ricmoo implementation details aside, i've had a ton of success with: https://github.com/ds300/patch-package |
|
@ricmoo: there's a branch called "one-time-password-to-rule-them-all" which contains a proposed solution. Link to the branch: https://github.com/lerna/lerna/tree/one-time-password-to-rule-them-all |
|
@busticated Oh, I meant specifically what lines and files to modify for the purpose of OTP w/ Lerna. :) @imaman Is that safe? I checked it out the other day and it was 114 commits behind... :s (or do you mean just copy the otpplease and co?) |
|
@ricmoo: The actual fix is very small so I selectively copied only this part. Unfortunately, I am away from my laptop for the next 10 days so I can't send you a copy-and-paste snippet. |
|
@imaman No worries, that helps a tonne. I'll copy it over (maybe experiment with a smaller test repo first). :) |
See lerna/lerna#1091 for other options.
|
Published in v3.14.0. Used it to publish it, even. ^_^ |
and others
https://docs.npmjs.com/getting-started/using-two-factor-authentication
Need a prompt to be able to pass this for publishing, etc (right before since not that much time)
EDIT: current workaround is
NPM_CONFIG_OTP=123456 lerna publishThe text was updated successfully, but these errors were encountered: